1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular, to a computer implemented method for performing access control in a data processing system. Still more particularly, the present invention relates to a computer implemented method, system, and computer usable program code for token caching in trust chain processing.
2. Description of the Related Art
Data processing systems and applications executing thereon interact with each other in a data processing environment. Often, such interactions have to pass some type of security system so that only authorized data processing systems and applications are permitted to interact with each other in the data processing environment.
A variety of security systems is available for use in data processing environments. Some security systems verify the identity of a data processing system, an application, or a user, such as by using digital signatures. Other security systems verify the identity as well as authorization of a data processing system, an application, or a user to engage in the interaction in question. For example, a security system may use a combination of digital signature, encryption keys, and access control parameters to perform this level of security enforcement.
Still other security systems employ a structured method of presenting and processing security related information. The structured presentation of security related information is called a security token. This information may be contained within a message. The message may be consistent with standards-based descriptions, such as those provided by web services specifications, for example, the WS-Security and WS-Trust specifications. For example, the WS-Security specification describes how to include a pre-defined part of a message, such as a security header dedicated to carrying security information, into the message. As another example, the WS-Trust specification defines how to structure information within the security header defined by the WS-Security specification.
Processing of security information included within a message according to these standards-based definitions requires several steps and may be completed through functionality provided by a trust server. A trust server is an application that processes this security information through a process known as trust chain processing.
One such structured method of presenting this security information is a security token format defined by the Security Assertion Markup Language (SAML). SAML is an extensible markup language (XML) based organization of authentication and authorization information exchanged between, and within, security domains.
A security token is an organization of security information in a predefined format. The security information presented in a SAML-defined security token is called a SAML token. A SAML token is also known as a SAML assertion. The processing of the security information presented in this manner is called SAML token processing. Processing of security information represented by a SAML token often requires more than one step and may be completed by a trust server.
A security domain is a data processing environment, bound by a trust relationship, within which a given security token may be used. Information passed across security domains requires additional trust relationships to ensure that information valid in one domain can be trusted in another domain. A security domain may pass security tokens, such as a SAML token, within the security domain or to another security domain when a data processing system, an application, or a user in the first security domain requests to access data, functionality, or services provided by the other security domain. Security domains include the security infrastructure capable of performing security token processing and assessing the authentication and authorization parameters of the requesting data processing system, application, or user.
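As an added illustration of the multi-step token processing described above (this code is not part of the patent text), the following Python sketch locates a SAML 2.0 assertion inside the WS-Security header of a constructed SOAP message and evaluates the checks a receiving security domain's trust server would apply: issuer trust, validity window, and audience restriction. The message, issuer and audience URLs are assumptions; XML signature verification, which a real trust server performs before trusting any of these fields, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): a SOAP message whose WS-Security
# header carries a SAML 2.0 assertion issued by domain A for a service in domain B.
SAMPLE_MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
        <saml:Issuer>https://idp.domain-a.example</saml:Issuer>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://service.domain-b.example</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(message: str):
    """Step 1: find the SAML assertion inside the WS-Security header (None if absent)."""
    return ET.fromstring(message).find("soap:Header/wsse:Security/saml:Assertion", NS)


def evaluate_message(message: str, expected_audience: str, trusted_issuers: set, now_iso: str) -> list:
    """Steps 2-4: issuer trust, validity window, audience. Returns failure reasons; [] means accepted."""
    now, reasons = _parse_time(now_iso), []
    assertion = extract_assertion(message)
    if assertion is None:
        return ["no SAML assertion in WS-Security header"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        reasons.append(f"untrusted issuer: {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return reasons + ["no Conditions element"]
    if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
        reasons.append("not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
        reasons.append("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        reasons.append(f"audience {expected_audience!r} not in {audiences}")
    return reasons
```

The NotOnOrAfter comparison is exclusive, matching the SAML attribute's name: an assertion evaluated exactly at that instant is already rejected.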